# Enumeration

## Tools

SharpView: <https://github.com/tevora-threat/SharpView> (aggressor <https://github.com/tevora-threat/PowerView3-Aggressor>)

PowerView: <https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1> (tips <https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993>) (dev: <https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1>)

ADModule: <https://github.com/samratashok/ADModule> (lets you use the ActiveDirectory module without installing RSAT: import the module's DLL directly with Import-Module)

## Domain

#### Get Domain

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetDomain
Get-NetDomain -Domain domain.local
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADDomain
Get-ADDomain -Identity domain.local
```

{% endtab %}
{% endtabs %}

#### Get Domain SID

{% tabs %}
{% tab title="PowerView" %}

```
Get-DomainSID 
Get-DomainSID -Domain domain.local
```

{% endtab %}

{% tab title="ADModule" %}

```
(Get-ADDomain).DomainSID
(Get-ADDomain -Identity domain.local).DomainSID
```

{% endtab %}
{% endtabs %}

#### Get Domain Policy

{% tabs %}
{% tab title="PowerView" %}

```
Get-DomainPolicy
(Get-DomainPolicy)."system access"
(Get-DomainPolicy -Domain moneycorp.local)."system access"
```

{% endtab %}
{% endtabs %}

#### Get DCs

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetDomainController 
Get-NetDomainController -Domain moneycorp.local
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADDomainController

Get-ADDomainController -DomainName moneycorp.local -Discover
```

{% endtab %}
{% endtabs %}

## Users

#### Get a list of users in the current domain

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetUser 
Get-NetUser -Username student1
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADUser -Filter * -Properties * 
Get-ADUser -Identity student1 -Properties *
```

{% endtab %}
{% endtabs %}

#### Get a list of all properties for users within domain

{% tabs %}
{% tab title="PowerView" %}

```
# Lists all properties available
Get-UserProperty 

# Gets the value of a property for all users in domain
Get-UserProperty -Properties pwdlastset
```

{% endtab %}

{% tab title="ADModule" %}

```
# Lists all properties available (Get-Member needs the -MemberType switch)
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
# Gets pwdlastset for all users, converted from FILETIME to a readable date
Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}
```

{% endtab %}
{% endtabs %}

#### Search for a particular string in a user attribute

{% tabs %}
{% tab title="PowerView" %}

```
Find-UserField -SearchField Description -SearchTerm "built" 
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,Description
```

{% endtab %}
{% endtabs %}

## Groups

#### Get all groups in current domain

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetGroup 
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADGroup -Filter * | select Name 
Get-ADGroup -Filter * -Properties *
```

{% endtab %}
{% endtabs %}

#### Get all groups containing "admin" in current domain

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetGroup *admin* 
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name 
```

{% endtab %}
{% endtabs %}

#### Get members of domain admin group

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetGroupMember -GroupName "Domain Admins" -Recurse 
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADGroupMember -Identity "Domain Admins" -Recursive 
```

{% endtab %}
{% endtabs %}

#### Get the group membership for a user

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetGroup -UserName "student1"
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADPrincipalGroupMembership -Identity student1
```

{% endtab %}
{% endtabs %}

## Computers / Sessions

#### Get a list of computers in current domain

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetComputer 
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping 
Get-NetComputer -FullData
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADComputer -Filter * | select Name 
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem
# Ping each computer once (equivalent of Get-NetComputer -Ping)
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
Get-ADComputer -Filter * -Properties *
```

{% endtab %}
{% endtabs %}

#### List all local groups on a machine (needs admin privs to query non-dc machines)

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetLocalGroup -ComputerName dcorpdc.dollarcorp.moneycorp.local -ListGroups
```

{% endtab %}
{% endtabs %}

#### List members of local groups on a machine (needs admin privs on non-dc machines)

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetLocalGroup -ComputerName dcorpdc.dollarcorp.moneycorp.local -Recurse
```

{% endtab %}
{% endtabs %}

#### Get actively logged on users on target (needs admin rights on target)

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetLoggedon -ComputerName <servername>
```

{% endtab %}
{% endtabs %}

#### Get locally logged on users on target (needs the Remote Registry service, which is started by default on servers)

{% tabs %}
{% tab title="PowerView" %}

```
Get-LoggedonLocal -ComputerName dcorpdc.dollarcorp.moneycorp.local
```

{% endtab %}
{% endtabs %}

#### Get the last logged on user on target (needs admin rights and remote registry enabled)

{% tabs %}
{% tab title="PowerView" %}

```
Get-LastLoggedOn -ComputerName <servername>
```

{% endtab %}
{% endtabs %}

## Files

#### Find shares on hosts in current domain

{% tabs %}
{% tab title="PowerView" %}

```
Invoke-ShareFinder -Verbose
```

{% endtab %}
{% endtabs %}

#### Find sensitive files on computers within domain

{% tabs %}
{% tab title="PowerView" %}

```
Invoke-FileFinder -Verbose
```

{% endtab %}
{% endtabs %}

#### Get all file servers of domain

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetFileServer
```

{% endtab %}
{% endtabs %}

## GPO / OU

#### Get list of GPOs in current domain

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetGPO 
Get-NetGPO -ComputerName dcorpstudent1.dollarcorp.moneycorp.local 
```

{% endtab %}

{% tab title="ADModule" %}

```
# Requires the GroupPolicy module
Get-GPO -All
# Provides the Resultant Set of Policy (RSoP) as an HTML report
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Users\Administrator\report.html
```

{% endtab %}
{% endtabs %}

#### Get GPOs that use Restricted Groups or groups.xml for interesting users

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetGPOGroup
```

{% endtab %}
{% endtabs %}

#### Get users which are in a local group of a machine using GPO

{% tabs %}
{% tab title="PowerView" %}

```
Find-GPOComputerAdmin -ComputerName dcorpstudent1.dollarcorp.moneycorp.local
```

{% endtab %}
{% endtabs %}

#### Find machines where given user is a member of a specific group

{% tabs %}
{% tab title="PowerView" %}

```
Find-GPOLocation -UserName student1 -Verbose
```

{% endtab %}
{% endtabs %}

#### Get OUs in a Domain

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetOU -FullData 
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADOrganizationalUnit -Filter * -Properties *
```

{% endtab %}
{% endtabs %}

#### Get GPO applied on an OU

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetGPO -GPOname "{AB306569-220D-43FF-B03B-83E8F4EF8081}"
```

{% endtab %}

{% tab title="ADModule" %}

```
# Requires the GroupPolicy module
Get-GPO -Guid AB306569-220D-43FF-B03B-83E8F4EF8081
```

{% endtab %}
{% endtabs %}

## ACLs

#### Get ACLs associated with a specific object

{% tabs %}
{% tab title="PowerView" %}

```
Get-ObjectAcl -SamAccountName student1 -ResolveGUIDs
```

{% endtab %}

{% tab title="ADModule" %}

```
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access
```

{% endtab %}
{% endtabs %}

#### Get the ACLs associated with a specific prefix of the search path

{% tabs %}
{% tab title="PowerView" %}

```
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose 
```

{% endtab %}
{% endtabs %}

#### Get the ACLs associated with a specific LDAP path

{% tabs %}
{% tab title="PowerView" %}

```
Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose
```

{% endtab %}
{% endtabs %}

#### Search for interesting ACEs

{% tabs %}
{% tab title="PowerView" %}

```
Invoke-ACLScanner -ResolveGUIDs
```

{% endtab %}
{% endtabs %}

#### Get the ACLs associated with the specified path

{% tabs %}
{% tab title="PowerView" %}

```
Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"
```

{% endtab %}
{% endtabs %}

## Trusts

#### Domain Trust Mapping

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetDomainTrust 
Get-NetDomainTrust -Domain us.dollarcorp.moneycorp.local
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADTrust -Filter *
Get-ADTrust -Identity us.dollarcorp.moneycorp.local
```

{% endtab %}
{% endtabs %}

#### Forest Mapping

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetForest 
Get-NetForest -Forest eurocorp.local
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADForest 
Get-ADForest -Identity eurocorp.local
```

{% endtab %}
{% endtabs %}

#### Get all domains in current forest

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetForestDomain 
Get-NetForestDomain -Forest eurocorp.local
```

{% endtab %}

{% tab title="ADModule" %}

```
(Get-ADForest).Domains 
```

{% endtab %}
{% endtabs %}

#### Get all global catalogs for the current forest

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetForestCatalog 
Get-NetForestCatalog -Forest eurocorp.local
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADForest | select -ExpandProperty GlobalCatalogs
```

{% endtab %}
{% endtabs %}

#### Map trusts of a forest

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetForestTrust 
Get-NetForestTrust -Forest eurocorp.local
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'
```

{% endtab %}
{% endtabs %}

## Scripts

#### Find all machines in the current domain where the current user has local admin access (this function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then runs a multi-threaded Invoke-CheckLocalAdminAccess against each machine; it generates logon events on every machine, so it is loud)

{% tabs %}
{% tab title="PowerView" %}

```
Find-LocalAdminAccess -Verbose

# Alternative: Find-WMILocalAdminAccess.ps1
```

{% endtab %}
{% endtabs %}

#### Find local admins on all machines of the domain (needs administrator privs on non-DC machines; this function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then runs a multi-threaded Get-NetLocalGroup against each machine)

{% tabs %}
{% tab title="PowerView" %}

```
Invoke-EnumerateLocalAdmin -Verbose
```

{% endtab %}
{% endtabs %}

#### Find computers where a domain admin (or a specified user/group) has sessions (this function queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of computers (Get-NetComputer) and lists sessions and logged-on users (Get-NetSession/Get-NetLoggedon) from each machine)

{% tabs %}
{% tab title="PowerView" %}

```
Invoke-UserHunter 
Invoke-UserHunter -GroupName "RDPUsers"
```

{% endtab %}
{% endtabs %}

#### Confirm admin access

{% tabs %}
{% tab title="PowerView" %}

```
Invoke-UserHunter -CheckAccess
```

{% endtab %}
{% endtabs %}

#### Find computers where a domain admin is logged in (this option queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of *only* high-traffic servers (DCs, file servers and distributed file servers) to generate less traffic, and lists sessions and logged-on users (Get-NetSession/Get-NetLoggedon) from each machine)

{% tabs %}
{% tab title="PowerView" %}

```
Invoke-UserHunter -Stealth
```

{% endtab %}
{% endtabs %}
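The "loud" warning on Find-LocalAdminAccess and the reason for the -Stealth variant above is the same thing seen from the other side: one account performing network logons against many hosts in a short window. The script below is an added detection example, not part of the original cheat sheet or of PowerView. It assumes successful-logon events (Windows Event ID 4624) have been collected centrally and exported as one record per line with a constructed five-field layout (timestamp, host where the event was logged, account, logon type, source IP); the threshold and window values are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export of 4624 (successful logon) events.
# Fields: timestamp, target host (where the event was logged), account, logon type, source IP.
# "student1" fans out over six hosts in a few seconds; "svc_backup" touches two hosts
# 20 minutes apart; the last line is an interactive logon (type 2) and is ignored.
SAMPLE_LOGONS = """\
2024-05-01T09:00:01Z dcorp-dc student1 3 172.16.100.1
2024-05-01T09:00:02Z dcorp-appsrv student1 3 172.16.100.1
2024-05-01T09:00:02Z dcorp-mgmt student1 3 172.16.100.1
2024-05-01T09:00:03Z dcorp-ci student1 3 172.16.100.1
2024-05-01T09:00:03Z dcorp-sql student1 3 172.16.100.1
2024-05-01T09:00:04Z dcorp-adminsrv student1 3 172.16.100.1
2024-05-01T09:10:00Z dcorp-dc svc_backup 3 172.16.50.9
2024-05-01T09:30:00Z dcorp-appsrv svc_backup 3 172.16.50.9
2024-05-01T09:00:05Z dcorp-std1 student1 2 -
"""


def parse_logons(text):
    """Parse the constructed export format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, account, logon_type, source_ip = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "account": account,
            "logon_type": int(logon_type),
            "source_ip": source_ip,
        })
    return events


def detect_fan_out(events, window=timedelta(minutes=5), threshold=5):
    """Flag (account, source IP) pairs that reach `threshold` distinct hosts
    via network logons (type 3) inside a sliding `window`.

    Returns one alert per pair, recorded the first time the threshold is crossed.
    """
    by_key = defaultdict(list)
    for e in events:
        if e["logon_type"] != 3:  # only network logons fan out across hosts
            continue
        by_key[(e["account"], e["source_ip"])].append(e)

    alerts = []
    for (account, source_ip), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        host_counts = defaultdict(int)  # distinct hosts currently inside the window
        left = 0
        for e in evs:
            host_counts[e["host"]] += 1
            # Slide the left edge forward until every event is within the window
            while e["time"] - evs[left]["time"] > window:
                old = evs[left]["host"]
                host_counts[old] -= 1
                if host_counts[old] == 0:
                    del host_counts[old]
                left += 1
            if len(host_counts) >= threshold:
                alerts.append({
                    "account": account,
                    "source_ip": source_ip,
                    "hosts": sorted(host_counts),
                    "first_seen": evs[left]["time"],
                    "last_seen": e["time"],
                })
                break  # one alert per pair is enough; further events only add noise
    return alerts


if __name__ == "__main__":
    for alert in detect_fan_out(parse_logons(SAMPLE_LOGONS)):
        print(f"{alert['account']} from {alert['source_ip']} reached "
              f"{len(alert['hosts'])} hosts between {alert['first_seen']} "
              f"and {alert['last_seen']}: {', '.join(alert['hosts'])}")
```

Keying on the (account, source IP) pair rather than the account alone keeps a legitimate admin working from one jump host separate from the same account being used from an unexpected workstation. The stealth variant described above deliberately stays under this kind of threshold by touching only a handful of high-traffic servers, so a second, lower threshold scoped to DCs and file servers is a reasonable complement.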

## PrivEsc

#### Unconstrained Delegation

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetComputer -UnConstrained
Get-DomainUser -AllowDelegation -AdminCount
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADComputer -Filter {TrustedForDelegation -eq $True} 
Get-ADUser -Filter {TrustedForDelegation -eq $True}
```

{% endtab %}
{% endtabs %}

#### Constrained Delegation

{% tabs %}
{% tab title="PowerView" %}

```
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
```

{% endtab %}
{% endtabs %}

#### ASREP Roasting

{% tabs %}
{% tab title="PowerView" %}

```
Get-DomainUser -PreauthNotRequired -Verbose
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
```

{% endtab %}
{% endtabs %}

#### Clear Passwords

{% tabs %}
{% tab title="PowerView" %}

```
# Show full property values instead of truncating them
$FormatEnumerationLimit = -1
# Find users with a populated userPassword attribute and decode it from ASCII bytes
Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword |
    % { Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru } |
    fl
```

{% endtab %}
{% endtabs %}
